DEF CON 29 - Paz Hameiri - TEMPEST Radio Station

Aug 5, 2021 17:35 · 5573 words · 27 minute read

- Hi everyone, my name is Paz Hameiri and I’ll be talking about the project I’m working on named Tempest Radio Station.

00:10 - First allow me to introduce myself. I’ve been developing hardware and software for more than 30 years and I’ve been working as a system engineer for more than a decade.

00:21 - I started my professional career very early.

00:25 - During my teen years, I cracked games and developed software tools.

00:29 - One of the software tools that I’ve developed was called the Message Sticker.

00:34 - And during DEF CON 25, Inbar showed code that he had written to deactivate the Message Sticker.

00:42 - He called his software Unpazz and Undefpazz.

00:50 - Okay, so what is Tempest? Tempest is a US NSA specification and NATO certification.

00:57 - The acronym refers to information leakage from a system through unintentional radio signals or audio signals or electrical signals and so on.

01:08 - In 1985, the researcher Wim van Eck published the first unclassified analysis of the problem.

01:15 - He analyzed information leakage from computer monitors, but government researchers were already aware of the problem.

01:24 - The US army became aware that the equipment the army was using during World War Two was emitting unintentional electromagnetic waves.

01:37 - And that these electromagnetic waves, the unintentional electromagnetic waves are carrying valuable data, classified data out of the device.

01:48 - And since the ‘50s, the NSA has been developing specifications and certifications for classified devices in order to reduce these unintentional emissions by grounding the equipment, shielding the equipment, separating different types of data lines and so on.

02:13 - Okay. How did I end up doing this project named Tempest Radio Station? Well, I read “TEMPEST@Home - Finding Radio Frequency Side Channels” by Davidov and Oldenburg.

02:26 - They wrote about their experiments transmitting electromagnetic waves from a computer to a remote receiver, 50 feet away, and they manipulated the GPU clock to control the transmission.

02:42 - And one of the most important things that I found in their work was, until then I thought, or I guessed, that the electromagnetic emission regulation tests are preventing computers and cars from emitting much energy into the air.

03:06 - And I was wrong. Another thing I learned from their work was the use of software-defined radio receivers or SDRs receivers.

03:16 - These are cheap radio receivers. The most common radio receivers of this type are tunable from almost zero to two gigahertz and they have really good reception quality.

03:30 - So I bought one and I studied the electromagnetic emissions generated by my laptop, and I got very interested in this work.

03:44 - And I started wondering, what can I do with it? How far can I transmit data using these emissions? And is it possible to transmit audio in real time, and above all, how hard can it be? So to figure it out, I decided to start the Tempest Radio Station project, transmitting audio in real time using these emissions, and who knows how hard it can be? So first I have a project, then I need to define the project goals.

04:28 - The first goal was tunable frequency, and this is very important because if there are a lot of computers in a single area, and I want to extract data from one computer, I need to separate the data it is transmitting from the others.

04:44 - And perhaps I want to receive more than one computer in the same area.

04:48 - So I need to have a dedicated frequency per computer.

04:54 - Very similar to radio stations. Each radio station has its own frequency.

05:01 - And the second reason for tunable frequency is that if you can choose the frequency, then you can find a quiet, relatively quiet frequency band with as little interference as possible and transmit the data in that frequency band and get a good signal to noise ratio, which is important for reception.

05:28 - Another goal for the project was maximum bit rate, to maximize the audio quality.

05:35 - The third goal was innocent looking software to avoid detection for obvious reasons and last but not least, trying to achieve maximum distance.

05:50 - Okay. So let’s begin with the crash course about radio waves transmission.

05:58 - When you take a conductor and you pass time-varying electric current through it, it will emit electromagnetic radiation that will propagate from it into space, and reception works the other way around: if electromagnetic radiation is close to a conductor, it will generate time-varying electric current in it.

06:26 - And this is the transmission and reception of electromagnetic waves in a nutshell.

06:32 - This could be done with any conductor, it could either be wires or, for this project, PCB traces. PCBs are the printed circuit boards that carry the electric components inside the computers.

06:48 - Traces are the fine wires within the PCB that connect between the terminals of the electrical components.

06:59 - And that’s radio waves crash course. Another important thing to understand about broadcasting is modulation.

07:10 - Modulation is the manipulation that we do on the carrier wave, the expanding electromagnetic waves in order to make it carry the data that we wanted to carry.

07:27 - Most of you probably heard about amplitude modulation and frequency modulation, which are the two common methods used by commercial radio.

07:37 - But there are other types of modulation. The most simple type of modulation is On-Off Keying: you have an energy source, you turn it on, it emits energy, you turn it off, it stops emitting energy, and you can put the data, or encode the data, in the duration of the pulse.

07:58 - And if the transmitter and receiver have the same protocol, then they can pass the data from one to another.

08:07 - The most common and known On-Off Keying modulation use is Morse code.

08:15 - Morse code has only two symbols, a short pulse and a long pulse, and you use those two symbols to transmit the whole alphabet, words, sentences and so on.

08:31 - Okay. So we understand that we can turn PCB traces in the computers into electromagnetic wave generators.

08:42 - And we know that if we can take a line and make it emit energy at our will and control the duration, and stop the line from emitting energy at our will.

08:59 - Then we have On-Off Keying modulation. Now we need to have such a signal.

09:06 - Okay. So the signals I decided to use were the signals between the GPU and the GDDR. The GDDR is the memory installed in the graphics cards, and the GPU performs memory read and write operations by operating the control and data lines of the GDDR. Here you can see in this slide a timing diagram of GDDR6, which is a common memory type.

09:39 - And there are four major lines that the GPU is operating.

09:45 - The two signals in the upper side of the graph, are CK and CA, CA is the commanding signal.

09:57 - And the GPU uses the commanding signals to command the memory to do a write operation or a read operation.

10:03 - And CK is the clock of CA; it helps the GPU to command the memory.

10:11 - Similar to that, the two lower signals: the data signal carries the data itself.

10:18 - And WCK is the clock of the data. Whenever the GPU is performing a write operation or a read operation, it operates these lines; when it is not performing a read or write operation, it is not operating these lines.

10:35 - And this is the key to the On-Off Keying, meaning that when we want to transmit the symbol, we start a memory read or write.

10:45 - And the duration of the operation is predefined by us.

10:51 - And when it ends, the energy stops being transmitted.

10:58 - Okay, let’s talk about the duration of the pulse.

11:02 - The electromagnetic radiation, as I explained, is emitted when the control and data lines are active; it is not emitted when they are not active.

11:10 - So we need now to control the duration. There is an almost linear connection between the time it takes to write a batch of bytes and the size of the batch of bytes.

11:25 - So if we have a small volume of bytes to write, it will be a short operation.

11:30 - If we have a big volume of bytes to write, then it will be a very long writing operation.

11:39 - And that’s the key to control the symbol length.

11:44 - Whenever we are performing a memory transfer, a symbol will be transmitted, and the duration is predefined by the amount of bytes that are going to be read or written during the memory transfer.

12:06 - As I explained, the connection between symbol duration and symbol byte count is almost linear.

12:13 - This is because the GPU is using dedicated hardware to perform large memory transfers.

12:23 - And this dedicated hardware is time deterministic.

12:28 - So to define the On-Off Keying protocol between the transmitter and the receiver, I need to predefine to both what is a symbol.

12:41 - And I define the symbols in the following manner.

12:44 - The symbol duration equals (symbol value plus one) multiplied by a time constant that both the transmitter and the receiver know in advance. The plus one helps me to avoid a zero duration if I have a zero symbol value.

13:05 - In order to transmit these symbols, I need to transfer a known amount of bytes.

13:15 - So the symbol transfer size, which is relative to the symbol duration, equals (symbol value plus one) multiplied by a bytes constant.

13:25 - And as I explained, there is a linear relationship between the time constant and the bytes constant.

13:30 - So if I do a very large memory transfer and measure the time it takes to perform the transfer, then I get the ratio between the bytes constant and the time constant.

13:45 - And that’s the whole story. Here you can see it graphically: in the upper graph you see the energy being emitted for three different symbols, in the lower graph you can see the relation between the calculation I showed you in the last slide and the amount of time it takes to transmit each symbol.

14:16 - Here, you can see, for example, the symbol value five: you add one to it, you get six, six multiplied by the time constant.

14:22 - And this is the size of the symbol. Again, you can see it for a symbol value three and symbol value eight.

14:31 - Why use the GDDR memory? When I chose the GDDR memory, I had good reasons following the project goals. The first and most important was that it has tunable frequency.

14:48 - You can set the memory, the GDDR memory frequency by APIs that are available.

14:56 - It’s very easy to do so and I did it. The second thing was because the hardware is very time deterministic, and it helped me build solid, good symbols, which are transmitted and then received, and because it is very time deterministic I can get the same results over and over on different computers and different hardware.

15:25 - And most of the time, the GPU is idle because when it’s not in use it’s idle.

15:32 - And when it is idle it’s not doing anything and it’s a free resource, then why not use it? So I used it.

15:45 - This is Scotty. Scotty is the transmission software; it is installed on the stolen computer, the computer that is broadcasting the data, the audio. On the top left, you see a GPU list.

16:01 - And here you select the GPU that you want to use, the graphical card that you want, the graphics card, sorry.

16:09 - And below that you have two check boxes to start the transmission.

16:14 - The first one is for intelligence testing and the other one is to transmit the wave file.

16:18 - The name of the wave file is written in the line down below, and to the right of the GPU list you see memory clock.

16:28 - This is WCK, the data memory clock. To its right you can see a divider value and the data value; the data value is the value of the data that is being written to the memory.

16:40 - And you can see memory base clock. This is CA, the command clock. The relationship between the memory clock and the base clock is in this case four.

16:50 - And the values here are relative to each graphic card.

16:57 - The graphics card can tell you the type of memory that is installed inside the graphics card.

17:07 - Then from the parameters it gives you, you can get these numbers. Below memory clock you see base clock shift.

17:18 - This is the way that I’m moving the base clock and tuning the base clock. To its right you can see a shift frequency checkbox that commands Scotty to perform the frequency shifts, and to its right you can see the center frequency.

17:37 - This is the frequency that Scotty is calculating by adding the memory base clock to the base clock shift.

17:46 - And this is the result. More important is the indicator below it, which is called measured transmission frequency, because this is the transmission frequency that the GPU is measuring.

18:01 - And this is the actual frequency that is carrying the data.

18:07 - Below base clock shift you see two bit rate indicators. The lower one, data bit rate, is showing you the data bit rate, but only the data.

18:20 - This is the pure data bit rate, and the raw bit rate equals the data bit rate plus additional bits that are used for control and monitoring to build a data packet.

18:41 - The last indicator is data transmitted in percentage, which is the percentage of the data that was transmitted from the wave file.

18:53 - Okay. So what does Scotty do? Scotty is doing the following tasks: it’s measuring the time required to perform large GPU memory transfers.

19:06 - It is calculating the bytes constant for a predefined time constant, which is predefined for both transmitter and receiver.

19:17 - It is setting the GDDR memory clock frequency, or broadcasting frequency, and it is loading a wave file and transmitting 8,000 audio PCM samples every second.

19:30 - I targeted the CK clock, the command clock, as my main broadcasting frequency.

19:40 - And this is why I’m referring to setting GDDR memory clock frequency as setting the transmission frequency.

19:51 - Okay, so we have the wave file and it is broken by Scotty every second into 8,000 audio PCM samples.

20:00 - And then it is transmitting the 8,000 audio PCM samples in one second intervals.

20:09 - And first it is encoding the 8,000 audio PCM samples.

20:13 - Then it is bundling the data into packets according to a protocol, and the protocol comprises header bytes, Reed-Solomon forward error correction parity bytes for error-correction recovery at the receiver, an audio packets counter to count how many packets were already sent, and G.726 encoded audio bytes.

20:42 - This is the real payload, and audio data checksum bytes to see that the data is valid at the receiver.

20:53 - Scotty is transmitting each packet symbol by symbol, and when all 8,000 samples have been transmitted, the software stops and waits for the one second interval to elapse.

21:09 - Okay. So Scotty is now transmitting the data to free space and the electromagnetic waves are propagating in the area.

21:24 - And this is why we’ll talk now about the radio path, or the wave path.

21:35 - Scotty is transmitting the data from the computer, which is seen on the left, and on the right side of the chart you can see the reception equipment.

21:45 - The reception equipment comprises an antenna that converts the electromagnetic waves to time-varying current.

21:57 - After that you can see an LNA, an amplifier that amplifies these weak signals, and then an SDR receiver that receives the signals, samples the signals and passes the samples to a reception computer that runs a software named Spock that is extracting the data from the signals.

22:21 - In the middle you can see a photograph of this reception equipment.

22:30 - Here you can see how CK, the electromagnetic waves that are emitted from the CK PCB traces, is received 50 feet away from the source computer.

22:47 - You see here power versus frequency band, and you should expect, for a fixed frequency, a fixed clock frequency, to see all the energy concentrated on a single frequency, the clock frequency. As you can understand, this is not the case.

23:16 - The manufacturers are shifting the clock in small portions up and down, up and down.

23:29 - And in this graph, it would be right and left, right and left, and they are doing so to reduce the average power per frequency.

23:44 - And why is that? Both car manufacturers and computer manufacturers have to pass electromagnetic emission tests.

24:00 - These emission tests are required to get a regulation approval.

24:05 - And if all of the energy would have been concentrated on a single frequency, they might not pass the test.

24:14 - The power might be too large and pass the threshold of the test, and the car or the computer will fail the test.

24:28 - To better prepare for these tests the manufacturers are spreading the energy over a small frequency band, and this way they are lowering the average power per frequency.

24:42 - And by this method, they are improving the chances of passing the regulation tests.

24:51 - And this is why the signal looks the way it is.

24:56 - Okay. So we spoke about Scotty. Now let’s speak about Spock.

25:02 - Here you can see the screen of Spock, on the left top side, you can see the SDRs list.

25:09 - These are the SDR receivers available on the computer, and below that you can see center frequency, which is the frequency that you need to set to receive the data. Below that you can see two gain controls.

25:25 - They are used to set the system gain, the SDR system gain, and to get the best result you need to tune all three of them: the center frequency, the gain reduction and the LNA state.

25:38 - Once you set the frequency and the system gain, and you get good reception, all you need to do is to check the play audio checkbox below the system gain and hear the audio.

25:50 - In the middle portion of the screen, you see the sample versus time graph.

25:59 - Here you can see the waveforms. The samples are creating waveforms.

26:05 - And here you can see two symbols, and the shape of the waveforms is highly influenced by this breathing technique I explained earlier, the spread spectrum clock generation, that shifts the clock up and down, or the graph right and left.

26:25 - And this is how it looks over time. Below that you can see three checkboxes that are used for debugging.

26:34 - The most important of them is the clear numbers on the right, because it is clearing the statistics on the right.

26:41 - And on the right side of the screen, you can see all sorts of information, which helped me develop the software and analyze the quality of the reception.

26:54 - You can see how many samples per iteration, how many good packets were received, lost packets and the good packets ratio, which is important because it is indicating the quality of the reception, and other types of data.

27:13 - Okay. What is Spock doing? Well, it is doing a lot.

27:21 - Spock is doing two batches of tasks. The first batch of tasks is dealing with the samples, the raw samples that are being picked up from the air, and analyzing and processing these signals and getting the symbols out of the samples.

27:43 - And the second batch of tasks is working with the symbols to recover the data.

27:49 - So let’s speak about the first batch of tasks.

27:54 - Spock is setting up the SDR receiver. It is receiving cyclic batches of samples from the SDR receiver.

28:00 - It is calculating the absolute amplitude of the samples.

28:03 - Don’t be intimidated. There’s a graph in the next slide explaining it better. And it is filtering the data with a low pass filter.

28:12 - It is calculating the amplitude threshold to recover the symbols.

28:16 - And it is recovering the symbols using all of this data.

28:20 - And it saves the length of each symbol, the duration of each symbol in a buffer.

28:28 - You can see it in the graph, and I hope it will be much clearer.

28:35 - In the top graph we see the absolute value of the samples, and you can see the symbols here, power versus time.

28:46 - And in the middle graph, you see the filtered value and it looks much more like digital data.

28:55 - And in the lower graph, you see the digitized data, the recovered symbols.

29:04 - As I said earlier, Spock is doing two batches of tasks.

29:07 - This is the second batch. Now that it has the duration of each symbol, it has the symbol value.

29:15 - So it is looking for the header bytes, the header symbols. If you recall, each packet starts with header bytes, and when you have the symbols, it starts with header symbols.

29:28 - Once it has found the header symbols, it can recover the packet.

29:33 - So it is recovering the data packet from the symbols, and then it is using the forward error correction coding to correct errors in the data, if any, and afterwards it’s verifying packet validity.

29:48 - If the packet is valid, then it is decoding the audio using a G.726 decoder.

29:55 - And it is storing the PCM samples in a buffer.

29:59 - If there are any missing packets, lost packets, it is filling the PCM samples buffer with zeros, and then it is playing the audio.

30:09 - That’s the whole circle between Scotty and Spock.

30:17 - Let’s talk about tests. The first batch of tests that I did had the following properties: the time constant was set to 14 microseconds.

30:29 - The data packet structure was four header bytes, 20 Reed-Solomon forward error correction parity bytes, a single audio packets counter, and 63 encoded audio bytes.

30:43 - And I used two bits per PCM sample encoding, and last but not least, two audio data checksum bytes.

30:57 - Each packet was transmitted with four bits per symbol.

31:01 - I took every byte divided into two nibbles and transmitted four bits per symbol.

31:12 - Here you can see the computers I use for the tests.

31:16 - One was a laptop computer, and one was a desktop computer.

31:23 - You can see here the hardware of the two computers.

31:30 - Here you can see the setup in my apartment, on the left you can see the laptop computer on a table, on the right you can see the reception equipment and in the middle, you can see the corridor inside the apartment.

31:47 - And at one end, you see the laptop computer.

31:50 - On the other end, you see the antenna. Here you can see the same setup, but for the desktop computer: on the left, you can see the desktop computer on the table, on the right the reception equipment, and in the middle the corridor with both ends.

32:11 - Okay, let’s see some tests. Here you can see Scotty on a laptop.

32:23 - It’s in flight mode and here it begins to transmit.

32:41 - And now that you got a good sense of the raw bit rate, walking backwards through the reception equipment: this is the reception equipment, the antenna, low noise amplifier and SDR receiver.

33:18 - - [Announcer] Despite the striking fact that most of the scientists that the world has ever known– - Flight mode, of course.

33:29 - And this is Spock. - [Announcer] Scientific manpower is doubling every 12 years in a rate of growth more than three times that of our population– - Let’s clear the numbers.

33:40 - - [Announcer] As a whole, despite that, the vast stretches of the unknown and the unanswered and the unfinished still far outstrip our collective comprehension.

33:55 - (static sound) We choose to go to the moon in this decade and do the other things.

34:06 - Not because they are easy, but because they are hard, because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we’re willing to accept.

34:22 - One we are unwilling to postpone, and one we intend to win, and the others, too.

34:28 - (Audience claps) - And that was the laptop.

34:34 - This is the desktop, you can see raw bit rate.

35:08 - And this is Spock. - [Announcer] Scientific manpower is doubling every 12 years in a rate of growth more than three times that of our population as a whole, despite that, the vast stretches of the unknown and the unanswered and the unfinished still far outstrip our collective comprehension.

35:35 - (static sound) We set sail on this new sea because there is new knowledge to be gained and new rights to be won, and they must be won and used for the progress of all people.

35:58 - - And that’s the first batch. Here are the test results.

36:03 - I got good audio and a good average bit rate, and I even got a good packet ratio, but I noticed something interesting.

36:18 - I got a better ratio on the desktop when the monitor was turned off than when it was turned on.

36:29 - So I started to investigate this. When I examined the signals, I understood that the desktop computer is emitting signals which Scotty did not generate.

36:46 - And the computer stops transmitting these signals once the monitor is turned off by the windows power plan.

36:54 - So since I got better results with the monitor off, I decided to set the parameters, the packet structure, differently for a second batch of tests and try to achieve better audio quality.

37:18 - So I set the time constant to eight microseconds.

37:22 - I used 4 Reed-Solomon forward error correction parity bytes instead of the 20 in the first batch.

37:28 - And I used three bits per PCM sample encoding, instead of two.

37:36 - Let’s see what I got. This is the desktop of course.

37:45 - And you can see a higher bit rate, and this is Spock.

38:11 - And as you can see, there are a lot of lost packets.

38:17 - The audio quality is quite poor. The reception quality is quite poor, and this is because the monitor is still on.

38:30 - So let’s wait a few seconds to see how it will go when the display will be off.

38:45 - And this is with the display off. You can see that the lost packets indicator has halted and the good packets ratio is increasing and we get good audio.

38:58 - - [Announcer] Advanced man had learned to use the skins of animals to cover them.

39:02 - Then about 10 years ago, under this standard, man emerged from his caves to construct other kinds of shelter.

39:11 - - Clearing the numbers. (static sound) - [Announcer] Many years ago, the great British Explorer, George Mallory, who was to die on Mount Everest was asked, why did he want to climb it? He said, because it is there.

39:31 - Well, space is there, and we’re going to climb it and the moon and the planets are there, and new hopes for knowledge and peace are there.

39:40 - And therefore, as we set sail, we ask God’s blessing on the most hazardous and dangerous and greatest adventure on which man has ever embarked.

39:52 - Thank you. (Crowd applauds) - It’s a wonderful speech by JFK, and I recommend you all listen to it.

40:00 - It’s a great speech. So these are the test results.

40:05 - I got better audio and better bit rate and better packet rate.

40:12 - Then everything is great. The whole project was designed around CK, the command clock, but it is important to remember that other signals are being transmitted as well.

40:31 - At the same time we have the four basic signals here, but there are more signals derived from these signals.

40:39 - And there are a lot of signals being transmitted at every symbol transmission.

40:49 - So if you can’t get your data on one frequency, you might find it on different frequencies.

40:55 - Let’s see an example of that. Here you can see the power versus frequency of a signal which equals the command clock divided by two.

41:12 - And you can see good power, and here you can see that Spock receives it well; we are at a 99.6 good packets ratio.

41:23 - The only difference you may see is in the waveforms: the waveform of half of CK is different from the waveform of CK.

41:32 - And if you want to receive this signal instead of CK, then you need to adjust Spock to process the samples with this waveform to get the best results.

41:49 - But as you can see, this was not handled or tampered with in any way and it just gives good reception.

42:00 - Okay. So let’s talk about conclusions.

42:04 - The first are fun conclusions. First it works.

42:06 - Yay. The second conclusion is that my apartment is too small for the range tests.

42:15 - I had enough power I could have gone further, but that’s the length of the corridor.

42:20 - So that was it for me. And I got so excited that I made a jingle for Tempest Radio Station.

42:28 - Let’s hear it. ♪ Tempest Radio ♪ That is the jingle, but let’s talk about more alarming conclusions.

42:40 - First, timed memory transfers are easy to produce.

42:45 - It’s only memory transfers, and you can leak data just like you can leak audio, because as you saw, the audio was already digitized; I could have passed any other payload that I could choose.

43:02 - You can use this method on an air-gapped computer.

43:06 - Look at an air-gapped computer. It doesn’t have any radio based communication channel, but if it has a GPU, then you can use this method to get the information out of it.

43:19 - And this is most important during non-working hours, because the GPU is idle, there is no supervision, the monitor can be turned off to achieve maximum bit rate, either by the attacker or by the company’s IT policy, and the attacker can choose the time of transmissions.

43:43 - For example, they can hide the reception equipment in the parking lot and choose the data to be transmitted from 9:00 PM till midnight, and get the data.

44:00 - Everything I spoke about is not supervised by any software, not by antivirus, firewalls, port monitoring software, whatever.

44:10 - And this is important not only to, for example, extract plans and designs from internal networks; you can also do it on open networks, networks that are connected to the internet, because nobody’s monitoring this channel.

44:26 - It’s an open channel. And since nobody is monitoring, you can pass whatever you want.

44:32 - And as long as you can hide the reception equipment and get the data out, you can enjoy Tempest Radio.

44:44 - Thank you very much for watching, here are the links to the source code on GitHub for both Scotty and Spock.

44:53 - And here you can see the references from my work.

44:56 - Thanks again. And I hope you enjoyed it.